Archive for May 11th, 2012

The demise of Beastie Boys’ Adam Yauch (also known by his moniker MCA) has resonated among hip hop fans these past days. Sadly, we have seen a particular attack that targets specific recipients and uses this news item as a social engineering lure.

We have found an email sample that leverages Yauch’s death to entice users to download and open the malicious attachment. The message appears as a news item from a non-profit organization that features the late musician’s recent passing. It also contains a .DOC file attachment, which is supposed to contain the complete story. Users who download and open the .DOC attachment are actually executing malware detected by Trend Micro as TROJ_DROPPR.JET. This Trojan drops another malicious file, detected as TROJ_SWYSYN.SME, that connects to possibly malicious URLs.

Celebrity news items, whether factual or not, have been a staple bait in cybercriminal attacks. The lure built on Adam Yauch’s death is just one of several web threats that took advantage of the deaths of famous music icons. Similar threats include the string of clickjacking attacks that used the demise of Whitney Houston, Amy Winehouse, and even Lady Gaga’s supposed death.

Trend Micro users need not worry as they are protected via the Smart Protection Network™, which detects and deletes the related malware and blocks spam carrying malicious attachments using its file and email reputation technology. To learn more about how attackers take advantage of noteworthy news items, such as celebrity gossip and news, and other social engineering tricks, you may read our comprehensive e-guide “How Social Engineering Works”.

While gamers from North America and Europe are still waiting for the release of Diablo III this coming Tuesday (May 15), cybercriminals have already gone ahead and started taking advantage.

We found a search result for the string “diablo 3 free download” leading to a survey scam — a scheme frequently seen deployed through Facebook.

The search result below (highlighted in yellow) directs to a page which appears to be the download page for Diablo III:

However, clicking the download button only leads to the following survey page:

Another result, one supposedly leading to a YouTube page (highlighted in red in Figure 1), leads to the following page:

Entering the site, the visitor is met with instructions that they need to follow in order to be able to download the beta version of Diablo III. Interestingly, the steps involve sharing a link through Facebook three times — once on the users’ wall and twice on game pages.

Of course, following the instructions does not really lead to a file download, instead only directing to yet another survey page:

As enticing as it is to be able to download a very popular game right before everyone else does, users should keep in mind that such shady offers are widely used as bait by cybercriminals.

Diablo 3 is not the first game used by cybercriminals for schemes. We’ve seen other popular games such as World of Warcraft and Grand Theft Auto being used in the past.